NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

OIG REPORT TO OMB ON THE
NATIONAL CREDIT UNION ADMINISTRATION'S
COMPLIANCE WITH THE
FEDERAL INFORMATION SECURITY
MANAGEMENT ACT
2004

Report #OIG-04-06                                       September 30, 2004

Herbert S. Yolles
Inspector General

Released By:                                   Auditor-in-Charge:
William A. DeSarno                             Tammy F. Rapp, CPA, CISA
Deputy Inspector General for Audits            Sr. Information Technology Auditor


REPORT TO OMB ON NCUA'S COMPLIANCE WITH THE
FEDERAL INFORMATION SECURITY MANAGEMENT ACT - 2004
Report # OIG-04-06

TABLE OF CONTENTS

Section                                                                   Page

    I        Executive Summary                                              i

    II       Office of Management & Budget Report Format                    1

Exhibits

    A        Independent Evaluation of the NCUA Information Security Program - 2004

    B        NCUA Financial Statement Audits – 2003
             FY03 Information Technology Controls Review

Note: Exhibits are transmitted separately and are restricted for official use only.


I. EXECUTIVE SUMMARY

The Office of Inspector General (OIG) for the National Credit Union Administration (NCUA)
engaged Cotton & Company LLP to conduct an independent evaluation of NCUA's information
systems (IS) and security program and controls for compliance with the Federal Information
Security Management Act (FISMA), Title III of the E-Government Act of 2002.

The Office of Management & Budget (OMB) issued its 2004 Guidance on Annual Information
Technology Security Reports on August 23, 2004. This guidance clarifies how agencies are to
implement, meet, and report FISMA requirements to OMB and the Congress. This report contains a
summary of our evaluation of NCUA's information security program and is presented in the
OMB-prescribed format.

The OIG issued two reports during the past year that reported on testing of the effectiveness of
information security and internal controls:

   •   On September 30, 2004, the OIG issued a report containing an Independent Evaluation
       of the NCUA's Information Security Program – 2004. The content of the independent
       evaluation report supports the conclusions presented in this report. Refer to Exhibit A
       for the complete independent evaluation.

   •   On March 31, 2004, the OIG issued the Financial Statement Audit Report for the year
       ended December 31, 2003. The purpose of this audit was to express an opinion on
       whether the financial statements were fairly presented. In addition, the internal control
       structure was reviewed and an evaluation of compliance with laws and regulations was
       performed as part of the audit. The result of this audit was an unqualified opinion,
       stating that the financial statements were presented fairly. Although no material
       weaknesses were identified during the review of the internal control structure pertinent
       to financial reporting, nine recommendations were made relating to weaknesses in the
       area of information security. Refer to Exhibit B for the Information Technology
       Controls Review report.

The Chief Information Officer (CIO) has made progress during the past year in improving NCUA's
IT infrastructure. During 2004, NCUA accomplished the following:

   •   Completed an interim certification and accreditation of its general support system;
   •   Completed and updated several security plans and risk assessments; and
   •   Identified and reported 114 weaknesses in the NCUA Plans of Action and Milestones
       (POA&M) report. Of the 114 items, 60 were completed, 38 have milestones or completion
       dates that fall after the FISMA report date, 8 were delayed, the OCIO made risk-based
       decisions to accept the risk on 6, and 2 were identified as significant deficiencies for
       this year's FISMA reporting cycle.

However, two significant deficiencies in NCUA's security program carried over from last year's
independent evaluation still have not been fully addressed. First, we determined that
information stored on examiners' laptop computers has not been addressed as part of NCUA's
information security program. We noted that NCUA has taken some measures to protect
information on examiners' laptops. However, a formal review of the risks involved and of the
protections necessary to address those risks has not been conducted. This could result in the
intentional or accidental release of credit union member information.

Second, we noted several weaknesses in the underlying general support system and network
components. This is significant because every application relies on the security of the
operating system and network infrastructure on which it resides, and preventing unauthorized
access to that infrastructure is a prerequisite for its security. Therefore, if the underlying
operating systems and network components are not secure, the applications themselves cannot be
assured of being secure. NCUA's general support system is operating under an interim
accreditation because of several weaknesses identified during the formal certification process.
As of the end of fieldwork, the general support system is operating at medium to high risk
because NCUA has neither corrected nor formally accepted the risk of the weaknesses identified
during the interim certification.

While we noted other weaknesses in IT controls, we concluded that the two conditions described
above are the most significant to NCUA. Additionally, both of these conditions were reported in
last year's FISMA review as material weaknesses. We encourage NCUA's Executive Director, the
Director of the Office of Examination and Insurance, and the CIO to address these issues as
soon as possible.